2023 is fast turning into Africa’s annus horribilis as the continent processes the economic and emotional trauma of three mega catastrophe loss events. On 6 February, a 7.8 magnitude earthquake devastated large parts of Turkey-Syria; on 8 September, a 6.8 magnitude earthquake ‘landed’ in central Morocco; and just two days later, torrents of water swept large portions of the Libyan port city of Derna into the sea.
The economic loss and damage caused by these catastrophes are dwarfed by the emotional pain and suffering. At the time of writing the death toll from the Turkey-Syria event had reached almost 60,000; the Morocco quake toll stood just short of 3,000; and the Libya floods had claimed more than 10,000 lives and counting. It is difficult to process these numbers; but combined we are talking about the full attendance at a large football stadium being wiped from the face of the earth, each supporter leaving behind dozens of family and friends. Africa Ahead publisher, Liz Booth, explores these events further in an intriguing piece, titled ‘North Africa rocked by series of catastrophic events, revealing the human cost of low insurance penetration rates‘.
For those who can stomach watching, drone footage shows Armageddon-like landscapes of flattened buildings, and, in Libya’s case, a deep scar tracing the path of the Wadi Derna river to the Sea. Early comment following the catastrophe points to an overlap of manmade and natural factors being to blame. Storm Daniel, a Mediterranean tropical-like cyclone, caused widespread flooding, which in turn caused an allegedly poorly maintained dam wall to break. The role of extreme weather is not in dispute; but the long-term infrastructure neglect in a country beset by political upheaval over decades cannot be ignored.
The graphic, tangible damage caused by earthquake and flood perhaps explains why cyber risk, a systemic risk that presents significant sustainability challenges to the global insurance and reinsurance industries, is so easily relegated. Data breaches and ransomware do not, after all, result in grief and/or physical pain. In this context, it is not surprising that the 106,000 ‘backdoor and spyware’ attacks that afflicted South Africa, and the 46,000 attacks in Nigeria, hardly get a mention. These statistics were reported by multi-national cybersecurity and anti-virus provider Kaspersky for the first three months of 2023.
The fact that cyberattacks do not rip cities apart or leave thousands of bereaved in their wake has contributed to a type of complacency among risk professionals. Fortunately, there is a growing awareness that cyber risks transcend individual companies to threaten regions and entire countries. South Africa is no stranger to this reality, having suffered widespread logistics chaos following a cyber sabotage event at Transnet in late July 2021.
More recently, an alleged ‘hack’ of the South African National Defence Force (SANDF) infrastructure illustrated the contingent risks that cyberattacks open. Local news service EWN reported that a group called Snatch claimed to have extracted 200 terabytes of defence data; the SANDF has vehemently denied the claim. The good news is that South African firms are starting to pay closer attention to their cyber-risk exposures.
In early September, Aon South Africa released its 2023 Cyber Risk Survey for that country, providing insights on current trends in cyber-risk governance. “The survey offers commentary on the future direction of cybersecurity, given the rapidly evolving manner of the risk, its solutions and legislative policies,” said Zamani Ngidi, Cyber Solutions Senior Client Manager, in a press statement accompanying the survey. The survey found that:
• 22% of respondents suffered a cyber incident in the past five years;
• 67% of participants deploy a cyber-risk management tool;
• 50% of respondents have board-level cyber champions; and
• 72% of participants purchase cyber insurance cover.
Although impressive, these statistics mask an industry that is reactive rather than proactive when it comes to emerging systemic risk. In fact, the survey found that many companies pay lip service to their cyberattack resilience until they suffer an actual cyber incident. Case in point, all of the respondents who had suffered a cyberattack subsequently availed of a full stack of cyber-related covers and tools … Fewer than half of the entire survey sample had taken similar steps.
Cyber-risk management assessment and subsequent mitigation can be costly, and the survey showed a definite correlation between revenue and cyber-risk management. Only 43% of South African companies with an annual turnover of less than ZAR100m (around USD5.3m) deployed cyber-risk management tools compared to 80% of companies with revenue exceeding that amount.
“This points to two possible scenarios, where smaller companies are finding the cost of proactive risk management too high, or it could point to a perception that the risk is only reserved for companies with a higher revenue bracket,” Mr Ngidi explained. The challenge is to get South African businesses (and their African peers) to weigh up the cost of cyber-risk mitigation against the costs consequent a successful cyberattack or data breach. Overall, the resilience and sustainability benefits of proactive risk management and risk mitigation exceed the cost of such programmes by some margin.
From an Aon South Africa perspective, the focus should be on awareness, cyber-risk management and risk transfer. Under the first heading, firms were encouraged to identify cyber champions at board level, to ensure that adequate resources are directed to protecting these firms from cyber risks. Cyber-risk management, meanwhile, demands a better understanding of the return on investment (ROI) from cyber-related risk mitigation.
As for risk transfer, the report concluded that firms should consider an appropriate balance of cyber and related liability insurances. “Companies should consider applying quantification metrics to substantiate the limits purchased, and conduct an insurability analysis to ensure that the business’ top cyber risks are well protected relative the insurance portfolio,” they wrote, calling on firms to consider cyber-risk management assessments and cyber impact analyses.
The survey concluded that cyber-risk awareness was on the rise; but that senior leaders within firms remained unclear on how to effectively protect against it. As a consequence, businesses lack resilience against cyberattack. “The lack of consistency of approach to cyber-risk management leads to inadequate balance sheet protection against the materialisation of cyber-related losses,” Aon South Africa concluded.